Nereus Finance, an Avalanche-based lending protocol, lost $371,000 worth of USDC in a smart contract exploit. Blockchain security firm CertiK detected the hack on September 6. It said the attack impacted liquidity pools on Nereus relating to decentralized exchange Trader Joe and Curve Finance, an automated market maker.
CertiK believes the underlying protocols themselves were impacted. But Curve Finance tweeted that the security firm may have meant “assets impacted” rather than “protocols impacted”. It said that only Nereus Finance and its assets seem to be impacted. Nereus Finance released a detailed report of the incident on September 7. It revealed that an exploiter deployed a smart contract that used a $51 million flash loan from Aave to artificially manipulate the AVAX/USDC Trader Joe LP (JLP) pool price for a single block.
The hacker was able to mint 998,000 worth of Nereus’ native token NXUSD against $508,000 worth of collateral. They swapped the capital into different assets through various liquidity pools and managed to get away with a net profit of $371,406 once the flash loan was returned. The incident created $500,000 of NXUSD “bad debt” in the NXUSD protocol. The Nereus team quickly remedied the situation. It consulted security experts and developed a mitigation plan. The protocol also notified law enforcement. It liquidated and paused the exploited JLP market. Nereus paid off the “bad debt” using NXUSD from the team’s treasury.
The protocol believes the hacker succeeded because of a missed step in the price calculation. Nereus said no users’ funds are at risk, and NXUSD continues to be over-collateralized. It added that the Lending and Borrowing protocol was not affected by the exploit.
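The report as summarized here does not say which step of the price calculation was missed, so the following is an added illustration, not Nereus code, of the general failure mode behind single-block LP price manipulation. It assumes a generic constant-product pool with constructed reserves, prices and fee, and compares an LP-token valuation based on current reserves with the widely used invariant-based ("fair reserves") valuation.

```python
from math import sqrt

def swap_in(r_in, r_out, amount_in, fee=0.003):
    """Constant-product swap (x*y=k); returns the new (r_in, r_out) reserves."""
    effective = amount_in * (1 - fee)
    amount_out = r_out * effective / (r_in + effective)
    return r_in + amount_in, r_out - amount_out

def naive_lp_price(r0, r1, p0, p1, supply):
    """Values the pool's *current* reserves; movable within a single block."""
    return (r0 * p0 + r1 * p1) / supply

def fair_lp_price(r0, r1, p0, p1, supply):
    """Values the invariant k = r0*r1 at external prices: 2*sqrt(k*p0*p1)/supply.
    A swap leaves k unchanged apart from fees, so the result barely moves."""
    return 2 * sqrt(r0 * r1) * sqrt(p0 * p1) / supply

def demo():
    # Constructed figures, not taken from the incident.
    avax, usdc, supply = 500_000.0, 10_000_000.0, 1_000_000.0
    p_avax, p_usdc = 20.0, 1.0   # external (non-pool) reference prices
    before = (naive_lp_price(avax, usdc, p_avax, p_usdc, supply),
              fair_lp_price(avax, usdc, p_avax, p_usdc, supply))
    # One large borrowed swap skews the reserves for the rest of the block.
    usdc2, avax2 = swap_in(usdc, avax, 40_000_000.0)
    after = (naive_lp_price(avax2, usdc2, p_avax, p_usdc, supply),
             fair_lp_price(avax2, usdc2, p_avax, p_usdc, supply))
    return {"naive": (before[0], after[0]), "fair": (before[1], after[1])}

if __name__ == "__main__":
    for name, (b, a) in demo().items():
        print(f"{name:5s} LP price: {b:8.2f} -> {a:8.2f}  ({a / b:.2f}x)")
```

A lending market that sets borrowing limits from the reserve-based figure would accept the skewed valuation for that block, while the invariant-based figure changes only by the swap fee retained in the pool.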